PSD2 Authentication Deadline Extended: Here's What's Next

Now that the deadline for all e-commerce card-based transactions in the EU to comply with the new PSD2 "strong customer authentication" requirement has officially been extended to Dec. 31, 2020, authorities are emphasizing the need to make a smooth, uniform migration to the new forms of authentication.

The original deadline, which was Sept. 14, 2019, had been put on hold by several nations after various players cited difficulties in meeting the requirements.

The European Banking Authority has instructed the National Competent Authorities in all EU member nations to take a consistent approach toward the migration to the new authentication method. An EBA spokesperson acknowledged that the complexity of the migration led to the decision to postpone the deadline to help ensure uniform movement to new forms of authentication throughout Europe.

Many merchants, in particular, were not ready to comply with the original deadline, says Nick Maynard, lead analyst at U.K.-based Juniper Research. "Retailers have not yet made the necessary changes to their payment and authentication systems, and banks have had a difficult time in terms of preparing their merchants for the implementation," he says.

"If the right measures of understanding are put in place now, then SCA will become natural very quickly," Jackie Barwell, director of fraud product management at ACI Worldwide, told Mobile Payments Today. "What will cause friction, however, is a lack of a consistent approach to SCA by individual users."

The Requirements

PSD2, the Revised Payment Services Directive for the European Union, is designed to increase pan-European competition and participation in the payments industry, including fintech players, and harmonize consumer protections.

The strong customer authentication provision of the law requires the use of multifactor authentication to help improve security. Carrying out that mandate has proven difficult for a number of reasons, security experts say, including the development and implementation of the necessary APIs to pave the way for data exchange among many players.

The PSD2 provision requires authentication using at least two of the following three factors:

Something the cardholder "knows," such as a password or PIN;

Something the cardholder "has," such as a token or mobile phone;

Something the cardholder "is," such as a fingerprint or voice match.
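As an added illustration of the "at least two of three factors" rule (this is example code, not part of the article or any PSD2 reference implementation), the check below classifies each verified credential into one of the three categories and only passes when two distinct categories were actually verified. The credential names and the FACTOR_CATEGORY table are assumptions made for the example; the point it shows is that two credentials from the same category (a password plus a PIN) count as a single factor, and that a credential that was presented but failed verification contributes nothing.

```python
"""Independent-factor check for PSD2 strong customer authentication (SCA).

Added example, not code from the article. The credential type names and
the FACTOR_CATEGORY mapping are hypothetical; a real deployment would map
its own authenticator types onto the three categories.
"""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the cardholder knows (password, PIN)
    POSSESSION = "possession"  # something the cardholder has (token, phone)
    INHERENCE = "inherence"    # something the cardholder is (fingerprint, voice)


# Hypothetical mapping from credential type to factor category.
FACTOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "sms_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "voice_match": Factor.INHERENCE,
}


def categories_present(verified):
    """Return the set of distinct factor categories that were verified.

    `verified` maps a credential type to True/False depending on whether
    that credential was checked successfully. Credentials that failed
    verification are ignored; unknown credential types are rejected rather
    than silently counted, so a misconfigured authenticator cannot
    accidentally satisfy the rule.
    """
    present = set()
    for name, ok in verified.items():
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown credential type: {name}")
        if ok:
            present.add(FACTOR_CATEGORY[name])
    return present


def satisfies_sca(verified):
    """True only if at least two distinct categories were verified.

    Two credentials from the same category (password + PIN) still count
    as one factor, so they do not satisfy SCA on their own.
    """
    return len(categories_present(verified)) >= 2


def missing_categories(verified):
    """Categories a challenge flow could still ask for to reach two factors."""
    return set(Factor) - categories_present(verified)


if __name__ == "__main__":
    # Constructed sample authentication attempts.
    attempts = {
        "password + SMS OTP": {"password": True, "sms_otp": True},
        "password + PIN (same category)": {"password": True, "pin": True},
        "password + failed fingerprint": {"password": True, "fingerprint": False},
    }
    for label, creds in attempts.items():
        verdict = "pass" if satisfies_sca(creds) else "fail"
        print(f"{label}: {verdict}, still missing {sorted(f.value for f in missing_categories(creds))}")
```

A step-up flow can use `missing_categories` to decide which kind of challenge to issue next, rather than re-prompting for another credential of a category the user has already satisfied.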

Monitoring Migration Plans

EBA says that instead of pursuing immediate enforcement actions for compliance with the PSD2 authentication requirements, the NCAs will focus on monitoring migration plans.

EBA notes that payment service providers are liable for any fraud and any unauthorized payment transactions that take place under Article 74 of the PSD2 after SCA takes full effect next year.

"With the delay of the 'strong customer authentication' regulation, many in the online payments and ecommerce sectors in the U.K. may be breathing a huge sigh of relief today," says Michal Kissos Hertzog, CEO at the online bank Pepper. "Yet there must be a realization that online payments are changing all the time, and due to this, the value proposition and user experience must evolve constantly too - especially around ensuring it is safe and secure."

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
